Over the last 20 years a large number of automata-based specification theories have been proposed for 
modeling of discrete, real-time and probabilistic systems. We have observed a lot of shared algebraic 
structure between these formalisms. In this short abstract, we collect results of our work in progress 
on describing and systematizing the algebraic assumptions in specification theories. 



1 Introduction 

Specification formalisms commonly support two main ways of combining specifications: conjunction and 
parallel composition. The former, conjunction, is more common in specification logics (such as temporal 
logics [4]). It focuses on combining distinct views on the same system, or a component. The latter, parallel 
composition, more often discussed in process algebraic approaches [ ], talks about structurally composing 
two or more communicating systems. 

Recently a few specification theories have been developed that support both parallel composition 
and conjunction (for example [7, 6]). Interestingly, placing both parallel composition and conjunction in 
the same theoretical framework raises a lot of natural questions. When presenting the results of [ ] and 
[ ], we have received a wide range of opinions about the two operators, ranging from "composition and 
conjunction are radically different", through "they are easy to confuse, and hard to distinguish", to extreme 
ones such as "conjunction and parallel composition are essentially the same". A more diligent insight into 
the properties of the two operators shows that each of the opinions is in a way justified. For example 
conjunction satisfies the most essential axioms of parallel composition in some cases, and both operators 
are computed as pruning results of a certain kind of product. 

In this note we collect most important observations about similarities, relations and differences 
between conjunction and parallel composition in specification theories, as we have experienced in our 
prior work. First, we show that parallel composition refines conjunction for a broad class of single-player 
specification theories. Under the rather general assumptions that conjunction is the greatest-lower bound 
with respect to refinement, and the refinement is a precongruence for parallel composition, we show 
that existence of a certain kind of universal specification suffices for parallel composition to be always 
a stronger operator than conjunction (stronger as defined by the refinement relation). This fact is easily 
observed using basic properties of the order theory. It is not necessary to assume any specific properties 
about the specification language. An interesting side-effect is that parallel composition behaves much 
like conjunction under these assumptions. For example composing more systems to an existing assembly 
strengthens the specification (in the sense that it decreases the set of models). 

These observations apply out of the box to theories of Constraint Markov Chains [ ] and modal 
transition systems (scattered across multiple papers [9, 10, 11, 8]). It would also apply to a natural theory 
that one could build with finite automata and language inclusion as refinement. 
The existence of a universal specification requires an implicit closed-world assumption of a kind, 
which tends to hold in specification theories with a single-player semantics, like the above listed. Such 
theories do not distinguish between choices made by the component, and choices set by the environment 
in which it operates. In contrast one cannot always assume existence of a single largest specification when 
modeling under the open-world assumption. Consequently the above relation between parallel composition 
and conjunction does not hold for two-player specification theories such as Interface Automata [ ], Timed 
Interfaces [ ] or Timed I/O Automata [ ]. For these models we can spot an interesting duality between 
the two operators. 

Type theories, and older specification theories used in verification typically focus on universal 
correctness using a pessimistic composition, i.e. two systems are compatible, if under no circumstances 
their execution can lead to an error. In [ ] Alfaro and Henzinger propose an optimistic composition 
operator, which stipulates that two components are compatible as long as there exists a context in which 
they will not fail. In [ , 1] this duality between optimistic-pessimistic is investigated further. In [ ] we 
observe that the pessimistic composition is obtained by synthesizing a winning strategy for the player 
representing the system, while the optimistic composition is obtained by synthesizing a winning strategy 
for the player representing the environment. 

Furthermore, the two compositions suit well two different use cases. When an implementer receives a 
contract specification for the component, the environment assumptions are given, while some choices in 
the implementation still remain under his control. Thus if constructing specifications for implementers the 
pessimistic composition is more suitable. In practice this means that conjunction should be computed as 
the strategy for the component, since conjunction is a natural way of constructing a contract. 

Dually, the user of the component typically cannot influence the component itself, but can change 
the details of how it is used. This is why the optimistic composition is more suitable when synthesizing 
implementations for the users of black-box components. In this scenario parallel composition is the natural 
composition operator, and since the usage scenario is the only element under control, the composition is 
computed as the winning strategy for the environment player. 



2 A Single Player Setting 

In the following let S be a universe of specifications. 



A1 Let $(\le) \subseteq (S \times S)$ be a binary relation on this universe. We call it a refinement. Our refinement 
induces an equivalence on specifications: $A \equiv B$ iff $A \le B$ and $B \le A$. 

A2 We assume that $\le$ is a pre-order (reflexive and transitive). 

A3 We postulate existence of a universal specification $U$, such that $A \le U$ for all $A \in S$. 

A4 Let conjunction be a binary operator: $\wedge : S \times S \to S$. 

A5 Conjunction is total: $A \wedge B$ is defined for all $A, B \in S$. 

A6 Conjunction is commutative: $A \wedge B \le B \wedge A$ for all $A, B \in S$. 

Conjunction is the greatest lower bound with respect to $\le$: 

A7 $A \wedge B \le A$ and $A \wedge B \le B$ for all $A, B \in S$. 

A8 If $C \le A$ and $C \le B$ then $C \le A \wedge B$. 

A9 Another operator $(\mid) : S \times S \to S$ is called parallel composition. 

A10 Total: $A \mid B$ is defined for all $A, B \in S$.$^1$ 

A11 Commutative: $A \mid B \le B \mid A$ for all $A, B$. 

A12 Refinement is a precongruence for the contexts defined by parallel composition, so: 

$A \le B$ implies that $A \mid C \le B \mid C$ (1) 

We additionally require that $U$ is a unit of parallel composition: 

A13 $A \mid U \le A$ for all specifications $A$. 

At first the above may appear a strong requirement, but in fact this is very natural, and holds in many 
specification theories. For example if ' | ' is a product of automata then the product of A with a universal 
automaton U gives A again. In a more complicated scenario of CCS-like synchronizations where alphabets 
of A and U may differ, the refinement enforces alphabet equalization, which normally is defined by A | U 
and automatically gives the above. 

Theorem 1. $A \mid B \le A \wedge B$ 

Proof. Note that $A \le U$, so by precongruence $A \mid B \le U \mid B \le B$ (the latter by assumptions A11 and A13). 
We conclude similarly that $A \mid B \le A$, and since conjunction is the greatest lower bound, $A \mid B \le A \wedge B$. □ 

As an example, observe that the assumptions of Thm. 1 hold for a theory built around Constraint Markov 
Chains [6], Modal Specifications (not fully built in any paper, but results are scattered across more papers 
[9, 10, 11, 8]), or just finite automata with language inclusion as refinement. 
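As an added illustration (not code from the paper), the following brute-force check instantiates A3, A12, A13 and Theorem 1 on a constructed finite trace-language theory: a specification is a pair (alphabet, language), refinement is language inclusion after projection onto the coarser alphabet, conjunction is the projection-based greatest lower bound, and parallel composition is the CCS-style synchronous product, so that $A \mid U$ performs the alphabet equalization mentioned above. In a pure trace theory the two operators coincide, so Theorem 1 holds with equality on every pair; the alphabet, the length bound and all function names are assumptions made here.

```python
from itertools import combinations, product

ALPHABET, MAXLEN = ("a", "b"), 1   # constructed toy universe: traces of length <= 1

def traces(sigma):
    """All traces over alphabet sigma of length at most MAXLEN."""
    return frozenset(t for k in range(MAXLEN + 1) for t in product(sorted(sigma), repeat=k))
def proj(w, sigma):  # projection of trace w onto alphabet sigma
    return tuple(x for x in w if x in sigma)

# A specification is (alphabet, language); U, the empty-alphabet specification, is the universal one (A3).
U = (frozenset(), frozenset({()}))
def refines(A, B):
    """A <= B (A1): B's alphabet is part of A's and every trace of A projects into B."""
    (sa, la), (sb, lb) = A, B
    return sb <= sa and all(proj(w, sb) in lb for w in la)
def conj(A, B):
    """Conjunction (A7/A8): alphabet union, traces whose projections satisfy both operands."""
    (sa, la), (sb, lb) = A, B
    return (sa | sb, frozenset(w for w in traces(sa | sb) if proj(w, sa) in la and proj(w, sb) in lb))
def sync(u, v, shared):
    """Interleavings of u and v that synchronise on the shared letters (CCS-like product)."""
    if not u and not v:
        return {()}
    out = set()
    if u and u[0] not in shared: out |= {(u[0],) + w for w in sync(u[1:], v, shared)}
    if v and v[0] not in shared: out |= {(v[0],) + w for w in sync(u, v[1:], shared)}
    if u and v and u[0] == v[0] in shared: out |= {(u[0],) + w for w in sync(u[1:], v[1:], shared)}
    return out
def par(A, B):
    """Parallel composition (A9): synchronous product, kept inside the bounded trace universe."""
    (sa, la), (sb, lb) = A, B
    return (sa | sb, frozenset(w for u in la for v in lb for w in sync(u, v, sa & sb) if w in traces(sa | sb)))
def universe():
    """All 18 (alphabet, language) pairs that fit the bounded universe."""
    return [(frozenset(s), frozenset(L)) for k in range(len(ALPHABET) + 1) for s in combinations(ALPHABET, k)
            for m in range(len(traces(s)) + 1) for L in combinations(sorted(traces(s)), m)]

def check(S):
    """Labels of assumptions (and Theorem 1) that fail somewhere on the finite universe S."""
    bad = set()
    for A in S:
        if not refines(A, U): bad.add("A3 universal")
        if not refines(par(A, U), A): bad.add("A13 unit")
    for A, B in product(S, repeat=2):
        if not refines(par(A, B), conj(A, B)): bad.add("Thm1 par refines conj")
    for A, B, C in product(S, repeat=3):
        if refines(A, B) and not refines(par(A, C), par(B, C)): bad.add("A12 precongruence")
    return sorted(bad)
```

Replacing `par` by an operator that is not a unit for `U` (for instance one that merges languages instead of synchronising them) makes `check` report the failing assumption together with Theorem 1, which is the situation Theorem 2 describes.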

The condition A13, that $A \mid U \le A$, is in fact the sufficient and necessary condition for Thm. 1 to hold, 
in the following sense. 

Theorem 2. If the universal element exists, the refinement is a precongruence, and conjunction is the 
greatest lower bound, but $A \mid U \not\le A$, then $A \mid B \le A \wedge B$ does not necessarily hold. 

This is easy to show by contradiction. Assume $A \mid U \le A \wedge U$ but $A \mid U \not\le A$. Then $A \wedge U \le A$, so 
$A \mid U \le A \wedge U \le A$, hence $A \mid U \le A$, a contradiction. Since the other conditions are typically required of any 
well structured specification theory, we conclude that if the universal specification exists then $A \mid U \le A$ is 
the sufficient and necessary condition for the parallel composition being always stronger than conjunction. 

There is an interesting open question left by the above observations. We do know that the parallel 
composition, under certain conditions, is stronger than conjunction. However conjunction fulfills all the 
axioms of parallel composition in this setting (precongruence in particular). It would be interesting to 
explain more precisely what is it that makes parallel composition stronger than conjunction, and what is 
the weakest parallel composition that is interesting. 

A14 Define the quotient of conjunction $B \backslash_{\wedge} A$ to be a greatest (with respect to $\le$) specification $X$ such 
that $A \wedge X \le B$. 

A15 Define the quotient of parallel composition $B \backslash_{\mid} A$ to be a greatest (with respect to $\le$) specification 
$X$ such that $A \mid X \le B$. 

For the moment ignore the problem that a unique quotient (up to the equivalence induced by <) may 
not exist. We will come back to this later. 



$^1$ Totality of parallel composition is not strictly needed, but added to this note to simplify assumptions of further theorems and 
properties — in principle it is enough to always assume existence of the parallel compositions in question. 
Theorem 3. Consider arbitrary specifications $A$ and $B$. If $B \backslash_{\wedge} A$ and $B \backslash_{\mid} A$ are both defined (uniquely up 
to equivalence induced by $\le$) then $B \backslash_{\wedge} A \le B \backslash_{\mid} A$. 

Proof. Observe that $A \mid (B \backslash_{\wedge} A) \le A \wedge (B \backslash_{\wedge} A) \le B$. So by uniqueness and maximality of $B \backslash_{\mid} A$ we must 
have that $B \backslash_{\wedge} A \le B \backslash_{\mid} A$ (as the former also fulfils the condition of the latter). □ 

It is more interesting to ask the question of the quotient's existence. 

A16 Assume that conjunction has a null element, so: $A \wedge 0 \le 0$. 

A17 Assume that $\vee$ is a total least upper bound operator on specifications (a disjunction): 

A18 $A \le C$ and $B \le C$ implies that $A \vee B \le C$. 

A19 $A \le A \vee B$ and $B \le A \vee B$. 

A20 Assume that conjunction distributes over disjunction, so: $(A \wedge X_1) \vee (A \wedge X_2) \le B$ implies $A \wedge (X_1 \vee X_2) \le B$. 

Theorem 4. In specification theories, where the conjunction distributes over disjunction ( in the sense 
of the above) we have that quotient always exists for conjunction (so B\^A is uniquely defined up to 
equivalence), if disjunction (lub) is defined for arbitrary (also infinite) sets. 

Proof. First observe that the null element $0$ is always a good quotient candidate. 

If there is more than one quotient candidate then a least upper bound of all of them also fulfils the 
definition. So we take the quotient to be the least upper bound of all those that fulfill the definition. □ 

We have been unable to find generic conditions for existence of quotient for parallel composition. 

We shall now investigate associativity of conjunction and parallel composition. Order theory tells us 
that conjunction is associative: 

Theorem 5. $(A \wedge B) \wedge C \le A \wedge (B \wedge C)$ 

Proof. By A7: $(A \wedge B) \wedge C \le C$. 

By A7 again: $(A \wedge B) \wedge C \le A \wedge B \le A$. 
Similarly: $(A \wedge B) \wedge C \le B$. 
By A8: $(A \wedge B) \wedge C \le (B \wedge C)$. 

By A8 again: $(A \wedge B) \wedge C \le A \wedge (B \wedge C)$. □ 

To investigate associativity of parallel composition we additionally assume that parallel composition 
is idempotent: 



A21 For all specifications $A \in S$ we have $A \le A \mid A$. 

Note that the opposite, $A \mid A \le A$, already follows from Theorem 1 and idempotence of conjunction. Now 
we obtain the following: 

Theorem 6. For all specifications $A$, $B$, and $C$ we have $(A \mid B) \mid C \le A \mid (B \mid C)$. 

Proof. First, $(A \mid B) \mid C \le B \mid C$: by Theorem 1 and A7 we have $A \mid B \le A \wedge B \le B$, and precongruence 
(together with commutativity, A11) gives $(A \mid B) \mid C \le B \mid C$. Then: 

$A \mid (B \mid C) \ge A \mid [(A \mid B) \mid C] \ge (A \mid B) \mid [(A \mid B) \mid C] \ge [(A \mid B) \mid C] \mid [(A \mid B) \mid C] \ge (A \mid B) \mid C$. 

The first step uses the inequality just shown, the second uses $A \mid B \le A$ (Theorem 1 and A7), and the third 
uses $(A \mid B) \mid C \le A \mid B$ (Theorem 1 and A7), each time with precongruence. The last step is by idempotence of $\mid$ (A21). □ 

Observe that the above theorem, precongruence and commutativity of parallel composition also 
imply that $A \mid (B \mid C) \le (A \mid B) \mid C$, which completes the expected property of associativity: 

$A \mid (B \mid C) \le (C \mid B) \mid A \le C \mid (B \mid A) \le (A \mid B) \mid C$ 

3 In a Two-Player Game Setting 

It turns out that the assumptions of the previous section do not hold for a particular class of theories — those 
based on two player games. For example there does not exist a universal interface automaton [ ] while a 
universal timed specification [7], if any was proposed, would not fulfill A | U < A. Let us explain below, 
why this is the case. 

Specifications with a game semantics, separate actions into controllable by the component (outputs) 
and by the environment (inputs). In such settings the parallel composition is only possible for two 
components, for which the controllable parts of the alphabet do not overlap — otherwise we have a control 
conflict. This is not required for conjunction, so conjunction exists more often than parallel composition 
in such theories (and assumption A10 is violated). In particular this means that A | U would typically need 
to have both an alphabet identical to A and different than A (for example in interface automata). 

Moreover an optimistic parallel composition [ ] is specified as a maximum winning strategy for the 
input player (the player corresponding to the context of the composition) in a safety game. Dually 
conjunction is constructed as a maximum winning strategy for the output player (the player representing 
the conjunction component itself) in a safety game. This duality expresses very well the difference 
between the two operators. The former is concerned with correct use of the result — and use is the domain 
of the context per se. The latter is concerned with the realization of two specifications — this clearly should 
be resolved within the component, and not within the environment. 

We have fully developed this principle, when working on a real time specification theory [7]. 

4 Concluding Remarks and Future Work 

The remarks placed in this short paper are clearly very preliminary. It is our intention to investigate more 
in depth algebraic structures underlying specification theories, and use this study to better survey existing 
theories, and to systematize the design of the new ones. 